Differences

This shows you the differences between two versions of the page.

--- it_tips:ssh [2017/05/03 11:41]
florido
+++ it_tips:ssh [2017/05/03 15:40]
florido [SSH key pair quick setup]
@@ Line 69: / Line 69: @@
 :!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!:
-This tutorial is nice:
+I will give you a set of quick steps how to setup ssh keys. But it is important that one understands the concepts behind, so please read the sections below.
-https://wiki.archlinux.org/index.php/SSH_Keys
-:!: the below part of the document is work in progress. :!:
 ==== What is SSH PKI ====
@@ Line 82: / Line 77: @@
   * A **Private** key that should be kept secure at all times and only readable by your user
-These user keys are usually stored in the user's ''~/.ssh/'' folder, the default names are ''id_rsa'' (private) and ''id_rsa.pub'' (public). But one can choose any location and any name.
+=== Host keypairs ===
-The machine keys are usually stored in the ''/etc/ssh/'' system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,
+The machine or host keys are usually stored in the ''/etc/ssh/'' system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,
 their names being like ssh_host_<schema> (private) and ssh_host_<schema>.pub (public).
 In the example below, note how the private key is readable and writable ONLY by root while all the ''.pub'' ones are readable by everyone (but not writable!)
@@ Line 108: / Line 103: @@
 </code>
-Every time a user connects to a server, the server presents the fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints, so if you're unsure, ask me!
+==== What happens when connecting to a server ====
+Every time a user connects to a server, the server presents its key fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints, so if you're unsure, ask me!
 When a fingerprint is accepted, it is stored in the user's home folder inside the file ''~/.ssh/known_hosts'' in encrypted form:
@@ Line 121: / Line 118: @@
 2f:21:6b:19:fc:fc:9d:62:8f:88:c2:2b:c4:d6:0c:70 |1|vyeQU5q0QfKZzq9/helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA)
 </code>
+==== User keypairs ====
+These user keys are usually stored in the user's ''~/.ssh/'' folder, the default names are ''id_rsa'' (private) and ''id_rsa.pub'' (public). But one can choose any location and any name.
+A user key can have a password or not. :!: **It is strongly discouraged to use passwordless keys. Should your private key get stolen, this will generate an enormous security breach.** :!:
+The password is used to "unlock" the key, that is, to allow the ssh client (more precisely, the ssh-agent )to use it to connect on the user's behalf.
 ==== Using user ssh key pair to login ====
@@ Line 136: / Line 141: @@
   * ''ssh-agent'' : takes care of remembering which key as been used for which host, remembers key password
+==== SSH key pair quick setup ====
+We will generate a public/private key pair called //myid_rsa// and //myid_rsa.pub// and copy it to a machine called ''watto.matfys.lth.se'' in order to login to it.
+  - Generate a private/public keypair **with password** and strong encryption((NIST complexity recommendations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)): Command: <code:bash> ssh-keygen -b 4096 -f ~/.ssh/myid_rsa</code>Result:<code:bash>
+Generating public/private rsa key pair.
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /nfs/users/floridop/.ssh/myid_rsa.
+Your public key has been saved in /nfs/users/floridop/.ssh/myid_rsa.pub.
+The key fingerprint is:
+d:1d:94:b9:71:35:59:f8:79:26:92:b5:a3:f5:d4:e3 pflorido@tjatte.hep.lu.se
+The key's randomart image is:
++--[ RSA 4096]----+
+|          .o .o+.|
+|         .+ . +. |
+|          .+ o oo|
+|         o..o =o*|
+|        S o  +.*o|
+|         .  .  E.|
+|                 |
+|                 |
+|                 |
++-----------------+
+</code>
+  - Make sure the permissions are correct: Commands:<code:bash>chmod 600 ~/.ssh/myid_rsa; chmod 644  ~/.ssh/myid_rsa.pub; ls -ltrah ~/.ssh/myid_rsa*</code>Result:<code:bash>
+-rw------- 1 pflorido hep 3,3K maj  3 13:59 /nfs/users/floridop/.ssh/myid_rsa
+-rw-r--r-- 1 pflorido hep  751 maj  3 13:59 /nfs/users/floridop/.ssh/myid_rsa.pub
+</code>
+  - Copy the key to the target server, say watto: Command:<code:bash>ssh-copy-id -i ~/.ssh/myid_rsa pflorido@watto.matfys.lth.se</code>Result:<code:bash>
+/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
+/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
+Password:
+Number of key(s) added: 1
+Now try logging into the machine, with:   "ssh 'pflorido@watto.matfys.lth.se'"
+and check to make sure that only the key(s) you wanted were added.
+</code>
+  - Add the key to the agent keyring:Command:<code:bash>ssh-add ~/.ssh/myid_rsa</code>Result:<code:bash>
+Enter passphrase for /nfs/users/floridop/.ssh/myid_rsa:
+Identity added: /nfs/users/floridop/.ssh/myid_rsa (/nfs/users/floridop/.ssh/myid_rsa)
+</code>
+  - Try to login to the server **using the identity created**: Command:<code:bash>ssh -i ~/.ssh/myid_rsa.pub pflorido@watto.matfys.lth.se</code>
+You can now create entries in your ''~/.ssh/config'' file to use tunnelling as described in [[#Speedup connection using tunneling]], and the agent should automatically forward your keys.
+===== Debugging SSH problems and useful commands =====
+The best to debug is to enable ssh verbose mode:
+<code:bash>ssh -vv pflorido@watto.matfys.lth.se</code>
+==== See which keys are tried by the agent ====
+<code:bash>ssh-add -l</code>
+==== Delete a key from the agent keyring ====
+<code:bash>ssh-add -d ~/.ssh/myid_rsa</code>
+==== Check if the agent is running ====
+<code:bash>ps aux | grep ssh-agent</code>
+==== Remove an offending key from known_hosts ====
+<code:bash>ssh-keygen -R <hostname></code>
+==== Remove an offending key from known_hosts ====
+<code:bash>ssh-keygen -R <hostname or IP></code>
 ====== References ======
+  * Arch linux SSH PKI tutorial, https://wiki.archlinux.org/index.php/SSH_Keys

pfwiki

User Tools

Site Tools

Differences

Page Tools